Python yara.compile() Examples
The following are 30
code examples of yara.compile().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
yara
, or try the search function
.
.
Example #1
| Source File: shell.py From unipacker with GNU General Public License v2.0 | 7 votes |
|
def do_yara(self, args):
"""Run YARA rules against the sample
Usage: yara [<rules_path>]
If no rules file is specified, the default 'malwrsig.yar' is being used.
Those rules are then compiled and checked against the memory dump of the current emulator state (see 'dump' for further
details on this representation)"""
if not args:
if not self.rules:
try:
self.rules = yara.compile(filepath=f"{os.path.dirname(unipacker.__file__)}/malwrsig.yar")
print("Default rules file used: malwrsig.yar")
except:
print(f"{Fore.LIGHTRED_EX}Error: malwrsig.yar not found!{Fore.RESET}")
else:
self.rules = yara.compile(filepath=args)
self.sample.unpacker.dump(self.engine.uc, self.engine.apicall_handler, self.sample)
matches = self.rules.match("unpacked.exe")
print(", ".join(map(str, matches)))
Example #2
| Source File: peekabooyar.py From PeekabooAV with GNU General Public License v3.0 | 6 votes |
|
def evaluate(self, s):
rules = yara.compile(
source='''
rule peekabooyar
{
strings:
$peekabooyar1 = "X5O!P%@AP-/_(:)_/-X22x8cz2$PeekabooAV-STD-ANTIVIRUS-TEST-FILE!$H+H*"
condition:
$peekabooyar1
}'''
)
# FIXME: Only user of file_path. Remove?
with open(s.file_path, 'rb') as sample_file:
matches = rules.match(data=sample_file.read())
if matches != []:
return self.result(Result.bad,
"Die Datei beinhaltet Peekabooyar",
False)
return self.result(Result.unknown,
"Die Datei beinhaltet kein erkennbares Peekabooyar",
True)
Example #3
| Source File: yarascanner.py From rekall with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, *args, **kwargs):
"""Scan using yara signatures."""
super(YaraScanMixin, self).__init__(*args, **kwargs)
# Compile the yara rules in advance.
if self.plugin_args.yara_expression:
self.rules_source = self.plugin_args.yara_expression
self.rules = yara.compile(source=self.rules_source)
elif self.plugin_args.binary_string:
self.compile_rule(
'rule r1 {strings: $a = {%s} condition: $a}' %
self.plugin_args.binary_string)
elif self.plugin_args.string:
self.compile_rule(
'rule r1 {strings: $a = "%s" condition: $a}' %
self.plugin_args.string)
elif self.plugin_args.yara_file:
self.compile_rule(open(self.plugin_args.yara_file).read())
elif not self.ignore_required:
raise plugin.PluginError("You must specify a yara rule file or "
"string to match.")
Example #4
| Source File: fileparser.py From RATDecoders with MIT License | 6 votes |
|
def dotnet_resource_names(self):
"""
Read .NET Resources and return a list of resource names
:return: list
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
resource_list = []
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
resource_list.append(resource['name'])
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return resource_list
Example #5
| Source File: fileparser.py From RATDecoders with MIT License | 6 votes |
|
def dotnet_resource_by_name(self, resource_name):
"""
Extract a .NET Resource by name
:param resource_name:
:return:
"""
try:
rules = yara.compile(source='import "dotnet" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara DotNet did you enable it?")
def modules_callback(data):
for i, resource in enumerate(data.get('resources', [])):
if resource['name'] == resource_name:
offset = resource['offset']
length = resource['length']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example #6
| Source File: fileparser.py From RATDecoders with MIT License | 6 votes |
|
def elf_list_sections(self):
"""
Read a list of sections from an elf binary
:return: list of section names
"""
try:
rules = yara.compile(source='import "elf" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara ELF did you enable it?")
section_names = []
def modules_callback(data):
for i, section in enumerate(data.get('sections', [])):
section_names.append(section['name'].decode('utf-8'))
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return section_names
Example #7
| Source File: fileparser.py From RATDecoders with MIT License | 6 votes |
|
def elf_section_by_name(self, resource_name):
"""
Extract an elf section by name
:param resource_name:
:return:
"""
try:
rules = yara.compile(source='import "elf" rule a { condition: false }')
except yara.SyntaxError:
print("Error using Yara ELF did you enable it?")
def modules_callback(data):
for i, section in enumerate(data.get('sections', [])):
if section['name'].decode('utf-8') == resource_name:
offset = section['offset']
length = section['size']
self.res_data = self.file_data[offset:offset + length]
return yara.CALLBACK_CONTINUE
rules.match(data=self.file_data, modules_callback=modules_callback)
return self.res_data
Example #8
| Source File: linux_truecrypt.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example #9
| Source File: poisonivy.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
if address - vad_base_addr > 0x1000:
continue
yield task, vad_base_addr
Example #10
| Source File: pdf-parser.py From ACE with Apache License 2.0 | 6 votes |
|
def YARACompile(ruledata):
if ruledata.startswith('#'):
if ruledata.startswith('#h#'):
rule = binascii.a2b_hex(ruledata[3:])
elif ruledata.startswith('#b#'):
rule = binascii.a2b_base64(ruledata[3:])
elif ruledata.startswith('#s#'):
rule = 'rule string {strings: $a = "%s" ascii wide nocase condition: $a}' % ruledata[3:]
elif ruledata.startswith('#q#'):
rule = ruledata[3:].replace("'", '"')
else:
rule = ruledata[1:]
return yara.compile(source=rule)
else:
dFilepaths = {}
if os.path.isdir(ruledata):
for root, dirs, files in os.walk(ruledata):
for file in files:
filename = os.path.join(root, file)
dFilepaths[filename] = filename
else:
for filename in ProcessAt(ruledata):
dFilepaths[filename] = filename
return yara.compile(filepaths=dFilepaths)
Example #11
| Source File: yara_fn.py From idawilli with Apache License 2.0 | 6 votes |
|
def test_yara_rule(rule):
'''
try to match the given rule against each segment in the current exectuable.
raise TestDidntRunError if its not possible to import the YARA library.
return True if there's at least one match, False otherwise.
'''
try:
import yara
except ImportError:
logger.warning("can't test rule: failed to import python-yara")
raise TestDidntRunError('python-yara not available')
r = yara.compile(source=rule)
for segment in get_segments():
matches = r.match(data=segment.buf)
if len(matches) > 0:
logger.info('generated rule matches section: {segment.name}')
return True
return False
Example #12
| Source File: yara_scanner.py From Python-Digital-Forensics-Cookbook with MIT License | 6 votes |
|
def main(yara_rules, path_to_scan, output):
if os.path.isdir(yara_rules):
yrules = yara.compile(yara_rules)
else:
yrules = yara.compile(filepath=yara_rules)
if os.path.isdir(path_to_scan):
match_info = process_directory(yrules, path_to_scan)
else:
match_info = process_file(yrules, path_to_scan)
columns = ['rule_name', 'hit_value', 'hit_offset', 'file_name',
'rule_string', 'rule_tag']
if output is None:
write_stdout(columns, match_info)
else:
write_csv(output, columns, match_info)
Example #13
| Source File: rat.py From CIRTKit with MIT License | 6 votes |
|
def auto(self):
if not HAVE_YARA:
self.log('error', "Missing dependency, install yara (see http://plusvic.github.io/yara/)")
return
if not __sessions__.is_set():
self.log('error', "No session opened")
return
rules = yara.compile(os.path.join(CIRTKIT_ROOT, 'data/yara/rats.yara'))
for match in rules.match(__sessions__.current.file.path):
if 'family' in match.meta:
self.log('info', "Automatically detected supported RAT {0}".format(match.rule))
self.get_config(match.meta['family'])
return
self.log('info', "No known RAT detected")
Example #14
| Source File: check.py From SSMA with GNU General Public License v3.0 | 6 votes |
|
def is_malware(filename):
if not os.path.exists("rules_compiled/malware"):
os.mkdir("rules_compiled/malware")
for n in os.listdir("rules/malware/"):
if not os.path.isdir("./" + n):
try:
rule = yara.compile("rules/malware/" + n)
rule.save("rules_compiled/malware/" + n)
rule = yara.load("rules_compiled/malware/" + n)
m = rule.match(filename)
if m:
return m
except:
pass # internal fatal error or warning
else:
pass
# Added by Yang
Example #15
| Source File: linux_truecrypt.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example #16
| Source File: yara_mocks.py From binaryalert with Apache License 2.0 | 6 votes |
|
def save_test_yara_rules(rules_save_file: str, empty_rules_file: bool = False):
"""Save compiled test YARA rules to the filesystem, which should already be mocked.
Args:
rules_save_file: Path to rules save file.
empty_rules_file: If true, writes an empty rules file.
"""
if empty_rules_file:
sources = {'empty.yar': ''}
else:
sources = {'evil_check.yar': EVIL_STRING_RULE, 'externals.yar': RULES_WITH_VARIABLES}
# Compile YARA rules and save them as an in-memory binary string.
rules = yara.compile(
sources=sources,
externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
rule_data = io.BytesIO()
rules.save(file=rule_data)
rule_data.seek(0)
# Save the files to the mock filesysytem.
with open(rules_save_file, 'wb') as file:
file.write(rule_data.read())
Example #17
| Source File: compile_rules.py From binaryalert with Apache License 2.0 | 6 votes |
|
def compile_rules(target_path: str) -> None:
"""Compile YARA rules into a single binary rules file.
Args:
target_path: Where to save the compiled rules file.
"""
# Each rule file must be keyed by an identifying "namespace"; in our case the relative path.
yara_filepaths = {relative_path: os.path.join(RULES_DIR, relative_path)
for relative_path in _find_yara_files()}
# Compile all available YARA rules. Note that external variables are defined but not set;
# these will be set at runtime by the lambda function during rule matching.
rules = yara.compile(
filepaths=yara_filepaths,
externals={'extension': '', 'filename': '', 'filepath': '', 'filetype': ''})
rules.save(target_path)
Example #18
| Source File: poisonivy.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
if address - vad_base_addr > 0x1000:
continue
yield task, vad_base_addr
Example #19
| Source File: linux_truecrypt.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example #20
| Source File: linux_truecrypt.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist.calculate(self)
for task in tasks:
if str(task.comm) != "truecrypt":
continue
space = task.get_process_address_space()
if not space:
continue
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = {40 00 00 00 ?? 00 00 00} condition: $a}'
})
scanner = PassphraseScanner(task = task, rules = rules)
for address, password in scanner.scan():
yield task, address, password
Example #21
| Source File: yara_analyzer.py From Cortex-Analyzers with GNU Affero General Public License v3.0 | 6 votes |
|
def __init__(self):
Analyzer.__init__(self)
self.rulepaths = self.get_param('config.rules', None, 'No paths for rules provided.')
if isinstance(self.rulepaths, str):
self.rulepaths = [self.rulepaths]
self.ruleset = []
for rulepath in self.rulepaths:
if os.path.isfile(rulepath):
if rulepath[len(rulepath)-3:] == 'yar':
self.ruleset.append(yara.compile(rulepath))
elif rulepath[len(rulepath)-3:] == 'yas':
self.ruleset.append(yara.load(rulepath))
elif os.path.isdir(rulepath):
if os.path.isfile(rulepath + '/index.yas'):
self.ruleset.append(yara.load(rulepath + '/index.yas'))
elif os.path.isfile(rulepath + '/index.yar'):
self.ruleset.append(yara.compile(rulepath + '/index.yar'))
Example #22
| Source File: yara.py From omnibus with MIT License | 6 votes |
|
def run(self):
results = {'matches': {}}
all_rules = list_dir(self.rules)
for r in all_rules:
rule = yara.compile(r)
matches = rule.match(data=open(self.artifact['path'], 'rb').read())
for m in matches:
if m.rule not in results['matches'].keys():
results['matches'][m.rule] = []
for tag in m.tags:
if tag not in results['matches'][m.rule]:
results['matches'][m.rule].append(tag)
self.artifact['data']['yara'] = results
Example #23
| Source File: yara_fn.py From ida_haru with Apache License 2.0 | 6 votes |
|
def test_yara_rule(rule):
'''
try to match the given rule against each segment in the current exectuable.
raise TestDidntRunError if its not possible to import the YARA library.
return True if there's at least one match, False otherwise.
'''
try:
import yara
except ImportError:
logger.warning("can't test rule: failed to import python-yara")
raise TestDidntRunError('python-yara not available')
r = yara.compile(source=rule)
for segment in get_segments():
if segment.buf is not None:
matches = r.match(data=segment.buf)
if len(matches) > 0:
logger.info('generated rule matches section: {:s}'.format(segment.name))
return True
return False
Example #24
| Source File: shell.py From unipacker with GNU General Public License v2.0 | 5 votes |
|
def do_x(self, args):
"""Dump memory at a specific address.
Usage: x [/n] [{FORMAT}] LOCATION
Options:
n integer, how many items should be displayed
Format: Either 'byte', 'int' (32bit) or 'str' (zero-terminated string)
Location: address (decimal or hexadecimal form) or a $-prefixed register name (use the register's value as the
destination address)"""
try:
x_regex = re.compile(r"(?:/(\d*) )?(?:{(byte|int|str)} )?(.+)")
result = x_regex.findall(args)
if not result:
print("Error parsing command")
return
n, t, addr = result[0]
n = int(n, 0) if n else 1
t = t or "int"
if "$" in addr:
alias = addr[1:]
addr = get_reg_values(self.engine.uc)[alias]
else:
alias = ""
addr = int(addr, 0)
self.print_mem(addr, n, t, alias)
except Exception as e:
print(f"Error parsing command: {e}")
Example #25
| Source File: unpackers.py From unipacker with GNU General Public License v2.0 | 5 votes |
|
def identifypacker(sample, yar):
rules = yara.compile(filepath=yar)
matches = rules.match(sample)
result = generate_label(matches)
if result == 'unknown':
print(f"The packer used for {sample} is unknown. Using default unpacker")
return 'unknown', matches
return result, matches
Example #26
| Source File: fileparser.py From RATDecoders with MIT License | 5 votes |
|
def unicode_strings(self, min_len=4):
string_list = []
chars = r" !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t"
regexp = b'((?:[%s]\x00){%d,})' % (chars, min_len)
pattern = re.compile(regexp)
for s in pattern.finditer(self.file_data):
string_list.append(s.group())
Example #27
| Source File: objects.py From CuckooSploit with GNU General Public License v3.0 | 5 votes |
|
def get_yara(self, rulepath=os.path.join(CUCKOO_ROOT, "data", "yara", "index_binaries.yar")):
"""Get Yara signatures matches.
@return: matched Yara signatures.
"""
matches = []
if HAVE_YARA:
if os.path.getsize(self.file_path) > 0:
if not os.path.exists(rulepath):
log.warning("The specified rule file at %s doesn't exist, skip",
rulepath)
return
try:
rules = yara.compile(rulepath, error_on_warning=True)
for match in rules.match(self.file_path):
strings = []
for s in match.strings:
# Beware, spaghetti code ahead.
try:
new = s[2].encode("utf-8")
except UnicodeDecodeError:
s = s[2].lstrip("uU").encode("hex").upper()
s = " ".join(s[i:i+2] for i in range(0, len(s), 2))
new = "{ %s }" % s
if new not in strings:
strings.append(new)
matches.append({"name": match.rule,
"meta": match.meta,
"strings": strings})
except Exception as e:
log.warning("Unable to match Yara signatures: %s", e)
else:
if not File.notified_yara:
File.notified_yara = True
log.warning("Unable to import yara (please compile from sources)")
return matches
Example #28
| Source File: malscan.py From MalScan with BSD 2-Clause "Simplified" License | 5 votes |
|
def check_yara(file):
rule = yara.compile(yarasig)
result = rule.match(file)
return result
# taken From OpenSource AnalyzePE Program
Example #29
| Source File: mac.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _shell_variables(self, proc_as, pack_format, addr_sz, htable_type):
if has_yara == False:
return
nbuckets_offset = self.obj_vm.profile.get_obj_offset(htable_type, "nbuckets")
if addr_sz == 4:
edata_type = "mac32_envdata"
else:
edata_type = "mac64_envdata"
seen_ptr = {}
s = "{ 40 00 00 00 }"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
scanner = BashEnvYaraScanner(task = self, rules = rules)
for hit, off in scanner.scan():
htable = obj.Object(htable_type, offset = off - addr_sz, vm = proc_as)
if not htable.is_valid():
continue
for ent in htable:
if not ent.m("key").is_valid():
continue
if self._valid_string(ent.key):
key = str(ent.key)
else:
key = ""
val_addr = ent.data.dereference_as(edata_type).value
if val_addr.is_valid() and self._valid_string(val_addr.dereference()):
val = str(val_addr.dereference())
else:
val = ""
if len(key) > 0 and len(val) > 0:
yield key, val
Example #30
| Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _compile_rules(self):
"""Compile the YARA rules from command-line parameters.
@returns: a YARA object on which you can call 'match'
This function causes the plugin to exit if the YARA
rules have syntax errors or are not supplied correctly.
"""
rules = None
try:
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Option for case insensitive searches
if self._config.CASE: s += " nocase"
# Scan for unicode and ascii strings
if self._config.WIDE: s += " wide ascii"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE and os.path.isfile(self._config.YARA_FILE):
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
except yara.SyntaxError, why:
debug.error("Cannot compile rules: {0}".format(str(why)))
